Summary
An update is available that resolves a vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information.
The following versions of ABB CoreSense HM and CoreSense M10 are affected:
- CoreSense™ HM <=2.3.1, fixed in 2.3.4 (CVE-2025-3465)
- CoreSense™ M10 <=1.4.1.12, fixed in 1.4.1.31 (CVE-2025-3465)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.1 | ABB | ABB CoreSense HM and CoreSense M10 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
Background
- Critical Infrastructure Sectors: Food and Agriculture, Commercial Facilities, Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2025-3465
A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information.
Affected Products
- Product: ABB CoreSense HM and CoreSense M10
- Vendor: ABB
- Known affected: CoreSense™ HM <=2.3.1, CoreSense™ M10 <=1.4.1.12
- Fixed: CoreSense™ HM 2.3.4, CoreSense™ M10 1.4.1.31
Remediations
Vendor fix
The vulnerability is corrected in the following versions: CoreSense™ HM v2.3.4 and CoreSense™ M10 v1.4.1.31. ABB recommends that customers apply the update at the earliest convenience.
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Note that the vector scores the attack vector as Local (AV:L), consistent with the localhost-only condition described under Mitigating factors, and scores the impact as a high confidentiality loss with a scope change (S:C/C:H) but no integrity or availability impact (I:N/A:N). Read the summary's "complete system compromise" wording against that vector: what the score itself rates is unauthenticated read access to files outside the intended directory.
Acknowledgments
- ABB reported this vulnerability to CISA.
Notice
The information in this document is subject to change without notice and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damage of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damage. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.
Mitigating factors
The path traversal vulnerability is only exploitable when the attacker has local access to the machine hosting the web application (i.e., access to localhost). To mitigate this vulnerability, the affected products should be configured to restrict local access to authorized users only, ensuring that untrusted users cannot interact with the application directly on the host system. ABB has restricted file downloads to a specific directory designated sole
[…]
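The remediation described under Mitigating factors, restricting file downloads to a single designated directory, is the standard fix for CWE-22. The following is an added illustration, not ABB code and not the CoreSense implementation: a naive download handler next to a hardened one, run against a constructed temporary directory tree. All names (`DOWNLOAD_DIR`, `download_vulnerable`, `download_hardened`, the sample files) are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox standing in for a device's file store (not the real
# CoreSense layout): one file that is legitimately downloadable, and one
# sensitive file one level above the download directory.
ROOT = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
DOWNLOAD_DIR = ROOT / "downloads"
DOWNLOAD_DIR.mkdir()
(DOWNLOAD_DIR / "report.csv").write_text("ts,value\n1,2\n")
(ROOT / "secret.conf").write_text("admin_password=hunter2\n")


def download_vulnerable(name: str) -> bytes:
    """Naive handler (CWE-22): the user-supplied name is joined onto the
    download directory with no check. '..' segments are never rejected, and
    os.path.join drops the base entirely when `name` is absolute, so
    '../secret.conf' or '/etc/passwd' read files outside the directory."""
    path = os.path.join(DOWNLOAD_DIR, name)
    with open(path, "rb") as f:
        return f.read()


def download_hardened(name: str) -> bytes:
    """Hardened handler: resolve the final path (following symlinks) and
    require it to sit strictly inside the resolved download directory.
    The containment check happens before any file is opened, so absolute
    paths, '..' escapes and symlinks pointing outside are all refused."""
    base = DOWNLOAD_DIR.resolve()
    # Path('/base') / '/etc/passwd' yields '/etc/passwd'; resolve() then
    # collapses any '..' and follows symlinks, so the check below sees the
    # real target, not the string the client sent.
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"refused: {name!r} resolves outside {base}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_bytes()


def traversal_blocked(name: str) -> bool:
    """True if the hardened handler refuses `name` as outside the directory."""
    try:
        download_hardened(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Same request against both handlers: the naive one leaks secret.conf,
    # the hardened one refuses it while still serving report.csv.
    print(download_vulnerable("../secret.conf"))
    for candidate in ("report.csv", "../secret.conf", "/etc/passwd"):
        print(candidate, "->", "refused" if traversal_blocked(candidate) else "served")
```

The point of resolving before checking is that string-level filtering of `..` is not enough: URL-encoded or doubly-encoded separators, absolute paths, and symlinks inside the allowed directory all bypass a check that only inspects the request text. Comparing the canonical target against the canonical base closes those routes in one step.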